Lecture 2: Shared-Key Cryptography

advertisement
Graduate Course on Computer Security
Lecture 2: Shared-Key Cryptography
Iliano Cervesato
iliano@itd.nrl.navy.mil
ITT Industries, Inc @ NRL – Washington DC
http://www.cs.stanford.edu/~iliano/
DIMI, Universita’ di Udine, Italy
December 3, 2001
Outline
• Goals of cryptography
• History
• Symmetric ciphers
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
 Attacks
 Block ciphers
 Stream ciphers
 Data Encryption Standard (DES)
• What is a secure cipher?
Secure C.
Computer Security: 2 – Shared-Key Cryptography
2
Confidentiality
Goals
History
Implement a virtual trusted channel over an
insecure medium
Shared-Key
Attacks
Block C.
Stream C.
DES
E
D
Secure C.
Computer Security: 2 – Shared-Key Cryptography
3
Insecure Channels
External observer can
Goals
History
Shared-Key
Attacks
• Read traffic
• Inject new traffic
• Erase traffic … sometimes
• Modify traffic … sometimes
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
4
Classical Goals of Cryptography
Encrypted message
(ciphertext)
Encryption
E
Goals
History
Message
(cleartext,
plaintext)
Decryption
D
key
Shared-Key
Message
(cleartext, plaintext)
Attacks
Block C.
Stream C.
DES
E, D realize a virtual trusted channel, given key
Secure C.
Computer Security: 2 – Shared-Key Cryptography
5
Modern Cryptography
Not just about confidentiality!
• Integrity
 Digital signatures
 Hash functions
• Fair exchange
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
 Contract signing
• Anonymity
 Electronic cash
 Electronic voting
•…
Secure C.
Computer Security: 2 – Shared-Key Cryptography
6
A Brief History of Cryptography
• ~2000 years ago: Substitution ciphers
• A few centuries later: Permutation ciphers
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
• Renaissance: Polyalphabetic ciphers
• 1844: Mechanization
• 1976: Public-key cryptography
Secure C.
Computer Security: 2 – Shared-Key Cryptography
7
A → C
B → E
D → F
…
X → A
Y → B
Z → C
Caesar’s
cipher:
Substitution Ciphers
Replace each letter with another
• Key: substitution table
• How to break it?
 Brute force? 26! possibilities (= 4x1026)
 Count the frequencies of letters, pairs, …
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
 Arabs had tabulated the Koran by 1412
 Ciphertext is enough: ciphertext-only attack
• Example:
QVAQBCWZQRLWDVEFW
IAMINDECIPHERABLE
Computer Security: 2 – Shared-Key Cryptography
A
B
C
D
E
F
G
→
→
→
→
→
→
→
V
E
Z
C
W
G
O
H
I
J
K
L
M
N
→
→
→
→
→
→
→
L
Q
N
H
F
A
B
O
P
Q
R
S
T
U
→
→
→
→
→
→
→
S
R
I
D
U
Y
K
V
W
X
Y
Z
→
→
→
→
→
X
M
T
J
P
8
Permutation Ciphers
k=
1 2 3 4 5
3 5 4 1 2
Switch letters around by a permutation
Goals
• Example: HELLOWORLD → LOLHERDLWO
• Key: permutation
• Breakable with ciphertext-only attack
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
9
Renaissance Ciphers
Use message and key letters for cipher
• Key: a word (CRYPTO)
• Example:
WHATANICEDAYTODAY
+ CRYPTOCRYPTOCRYPT (mod 26)
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
ZZZJUCLUDTUNWGCQS
• Polyalphabetic cipher:
 Encryption of letter is context-dependent
• Seed of modern cryptography
Secure C.
Computer Security: 2 – Shared-Key Cryptography
10
The Enigma
Mechanization
• 1844: invention of telegraph
 Beginning of civilian crypto
• Rotor machines
 Key: initial position of rotors
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
 Culminate in WW II
• 1975: DES
 1996-2000 AES
• 1976: Public key cryptography
We will
examine
in some
detail
Secure C.
Computer Security: 2 – Shared-Key Cryptography
11
Symmetric Ciphers
Encryption
box
M
Goals
History
Shared-Key
Decryption
box
Encrypted message
(ciphertext)
E
Message
(cleartext)
X
X
k
Secret key
Attacks
D
M
Message
(cleartext)
Block C.
Stream C.
DES
Secure C.
Dk(Ek(m)) = m
Computer Security: 2 – Shared-Key Cryptography
12
Properties of a Good Cipher
E, D : {0,1}n x {0,1}l → {0,1}n
• Dk(Ek(m)) = m
 For every k, Ek is an injection with inverse Dk
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
• Ek(m) is easy to compute, given m and k
• Dk(x) is easy to compute, given x and k
 Polynomial in max{n,l} - often linear
• If x = Ek(m), it is hard to find m without k
 Exponential in min{n,l}
Computer Security: 2 – Shared-Key Cryptography
13
Open Design
Kerchoff’s Principle (1883)
The security of a cryptosystem must not depend
on keeping the algorithm secret
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
No security by obscurity
• Better
 Lots of smart but innocuous people dissect it
 Than a single smart malicious
Secure C.
Computer Security: 2 – Shared-Key Cryptography
14
Attack Models
Random
x
Goals
History
Shared-Key
Attacks
Ek(m)
m, x
Ciphertext Only
Chosen
Random
Ek(m)
m, x
Chosen Plaintext
Known Plaintext
Chosen
Dk(x)
x, m
Known Plaintext
Block C.
Stream C.
DES
Secure C.
Good ciphers resist all attack models
Computer Security: 2 – Shared-Key Cryptography
15
Successful Attacks
Decrypt future messages coded with k
• Recover k
 Hard
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
• Often not needed!
 Exploit properties of the cipher
 See Lecture 5 (WEP)
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
16
Differential Power Analysis on DES
Sneaky Attacks
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Detail:
Round 2
• Obtain the key somehow
Round 3
From http://www.cryptography.com/dpa/technical
 Network sniffers, worms, backup tapes, …
 Blackmail, bribery, torture, …
Be careful!
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
• Side-channel cryptanalysis
 Power consumption
 Encryption time
 Radiation
Better implementation
⇒ off-peak computation
⇒ random noise
⇒ physical shielding
and design
Computer Security: 2 – Shared-Key Cryptography
17
Encrypting Long messages
Most algorithms operate on fixed sizes
 E.g. 64 bits for DES
• Block ciphers
 Slice m into m1, …, mn
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
 Add padding to last block
 Use Ek to produce x1, …, xn
 Use Dk to recover m1, …, mn
• Stream ciphers
 Rely on pseudo-random sequence
Secure C.
Computer Security: 2 – Shared-Key Cryptography
18
Electronic Codebook Mode – ECB
• Any identical block
encrypted identically
m:
• Lots of ciphertext
with the same k
• Dictionary attack
Goals
History
Shared-Key
Attacks
Block C.
n bits
Ek
…
Ek
x:
…
n bits
Ek
…
n bits
n bits
 Attacker records blocks
 Substitute them back when appropriate
 Encryption guarantees secrecy, not integrity
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
19
Exclusive OR
Fundamental operation of many ciphers
Goals
History
Shared-Key
Attacks
y
z
y⊕z
0
0
0
0
1
1
1
1
0
1
0
1
• Properties




y⊕y=0
y⊕0=y
y⊕1=y
y⊕z⊕z=y
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
20
Cipher Block Chaining – CBC
• Encryption
m:
 x1 = Ek(m1 ⊕ IV)
 xi = Ek(mi ⊕ xi-1)
• Decryption
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
n bits
n bits
…
IV
Ek
Initialization
Vector
 m1 = Dk(x1) ⊕ IV
 mi = Dk(xi) ⊕ xi-1
Ek
…
Ek
…
x:
n bits
n bits
• Widely used
 E.g IPSec
Secure C.
Computer Security: 2 – Shared-Key Cryptography
21
Output Feedback Mode – OFB
• Encryption
m:
 xi = mi ⊕ Ek(IV)i
• Decryption
Goals
 mi = xi ⊕ Dk
n bits
n bits
…
Ek
Ek
…
Ek
IV
(IV)i
Initialization
Vector
History
…
x:
n bits
n bits
Shared-Key
Attacks
Block C.
Stream C.
NB: encryption is never applied to m
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
22
One-Time Pad
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
•
•
•
•
Dk(x) = x ⊕ k
Ek(m) = m ⊕ k
Requires |m| = |k|
Very fast
Perfect secrecy
 Prob[guessing m] = Prob[guessing m|x]
• k should never be reused again!
 x1 = m1 ⊕ k
 x2 = m2 ⊕ k
x 1 ⊕ x 2 = m1 ⊕ m2
• k very large for long messages
 How to distribute it?
Computer Security: 2 – Shared-Key Cryptography
23
Pseudo-Random Bit Generators
• Deterministic functions
 RNG : {0,1}n → {0,1}∞
• Stretch fixed-size seed
to an unbounded sequence
that looks random
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
• Computable approximation
of one-time pad
Example:
i := 0
i := 0
do forever
i := i+1 mod 256
j := j+s[I] mod 256
swap s[i],s[j]
t := s[i]+s[j] mod 256
output s[t]
Seed: initial value of s
Size of state: (2256)256
• Example: RC4
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
24
Stream Ciphers
One-time pad using a RNG
• Use k as seed?
Ek(m) = m ⊕ RNG(k)
 Reuse problem!
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
• Typical usage (e.g., with DES)
Ek(m) = DESk(s) , m ⊕ RNG(s)
strong
fast
 Chose new s each time
Secure C.
Computer Security: 2 – Shared-Key Cryptography
25
DES - Data Encryption Standard
[NIST/IBM/NSA, released 1975]
key
• Message blocks: 64 bits
• Keys: 56 bits
56
Cleartext
block
64
DES
64
Ciphertext
block
• Speed
 Software: 43,000 block/sec ~ 2.7 Mbit/sec
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
 Measured on an old 80486 at 66MHz
 OK for files and web pages
 Too slow for sound and video
 Hardware: 16.8 million block/sec ~ 1 Gbit/sec
 High speed Ethernet: 100 Mbit/sec
 Modem: 56 Kbit/sec
Secure C.
Computer Security: 2 – Shared-Key Cryptography
26
Feistel Networks
Goals
History
Shared-Key
Attacks
Li = Ri-1
Ri = Li-1 ⊕ fi(Ri-1)
Block C.
Stream C.
DES
Round 1
R0 :
⊕
f1
Round 2
L1 :
R1 :
⊕
f2
…
Round k-1
• Arbitrary functions
• Not necessarily invertible
n bits
L0 :
Lk-2 :
Rk-2 :
⊕
Lk-1 :
Round k
f1, …, fk : {0,1}n → {0,1}n
n bits
Rk-1 :
⊕
Lk :
fk-1
fk
Rk :
Secure C.
Computer Security: 2 – Shared-Key Cryptography
27
Inverting a Feistel Network
Theorem
L0 :
For any f1, …, fk : {0,1}n → {0,1}n,
a Feistel network computes a
permutation π : {0,1}n → {0,1}n
Goals
History
Inverse:
⊕
Block C.
Stream C.
DES
Secure C.
R1 :
⊕
Feistel networks convert
 generic functions
 into permutations
Computer Security: 2 – Shared-Key Cryptography
f2
…
Li-1 = Ri ⊕ fi(Li)
Ri-1 = Li
f1
L1 :
Lk-2 :
Rk-2 :
⊕
Shared-Key
Attacks
R0 :
Lk-1 :
Rk-1 :
⊕
Lk :
fk-1
fk
Rk :
28
Inside DES
cleartext
DES is a Feistel network with
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES





16 rounds
64 bit cleartext blocks
56 bits key
f1, …, f16 derived from key
Initial permutation π (public)
64
π
key
56
64
16-round
Feistel
Network
64
 Decryption
 Apply f16, …, f1 (in reverse order)
 Same chip
π-1
64
ciphertext
Secure C.
Computer Security: 2 – Shared-Key Cryptography
29
The Functions fi
48 bits
x
fi(x) = F(x, ki)
• ki derived from k
ki
32
r
56 bits
48
48
 Public key schedule
48
• F: {0,1}32 x {0,1}48 → {0,1}32
is public
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
32 bits
S1
48 bits
 ½ block x expanded to x’
 Public replicator r
6
6 bits → 4 bits
 S-boxes Sj are public
 … where the magic happens
 Rationale was kept secret
 Final permutation π’ is public
4
6
S2
4
6
S3
4
6
6
S4
S5
4
4
6
S6
4
6
S7
4
6
S8
4
32
π’
32
F(x, ki)
 Shuffles input for next round
Computer Security: 2 – Shared-Key Cryptography
30
Attacks on DES
• Exhaustive search
 Given plaintext m and ciphertext x, with high
probability there is a single key k s.t.
x = DES(m,k)
 Trying 106 keys/sec, it takes 2,000 years
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
• However …
 1993, $106 homemade supercomputer breaks
DES in 7 hours (CPA)
• More sophisticated attacks
 Use properties (e.g. DES(m,k) = DES(m,k))
 Linear / differential crypto-analysis
Computer Security: 2 – Shared-Key Cryptography
31
Avoiding Exhaustive Search–3DES
DES is not a group
 Given k1, k2, with high probability there is no
k3 s.t.
Ek1(Ek2(m)) = Ek3(m) for every m
Goals
History
3DESk1,k2(m) = Ek1(Dk2(Ek1(m)))
Shared-Key
Attacks
Block C.
Stream C.
DES
• Key length: 112 bits
• Very popular
DES
encryption
DES
decryption
Secure C.
Computer Security: 2 – Shared-Key Cryptography
32
How about a 2DES?
2DESk1,k2(m) = Ek1( Ek2(m)) ??
• Meet-in-the-middle attack!
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
E
…
Goals
m
X2
X2 56
=?
m1
m2
…
X1
D
m2 56
X
For key length n,
total work is “only”
2n + 2n = 2n+1
Try all possible keys
• Effective key length is just 57 bits!
• Applies to any encryption algorithm
Computer Security: 2 – Shared-Key Cryptography
33
DESX
DES
encryption
DESXk1,k2,k3(m) = k1 ⊕ Ek2(m ⊕ k3)
• Key length: 56 + 2*64 = 184 bits
• However, effective key length is only about
Goals
100 bits
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
34
AES – a Successor to DES
Advanced Encryption Standard
• 1996: NIST issues public call for proposal
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES




Secure for next 50-100 years
Block cipher faster than 3DES
Variable key lengths (128, 192, 256, … bits)
Open design
• 15 algorithms submitted
 Public (and private) crypto-analysis for 4 years
 5 finalists
Secure C.
Computer Security: 2 – Shared-Key Cryptography
35
Oct. 2000: AES Contest Winner
Rijndael, by J. Daemen and V. Rijmen
Goals
History
Shared-Key
Attacks
• Fast (~18-20 cycles to encrypt a byte)
• Small (98 Kb)
• Well understood characteristics
 Bit operations: ⊕, shift, …
• Provides good safety (1.33 safety factor)
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
36
When is a Cipher Secure?
m
Ek(_)
Goals
History
x
m
Ek(0)
x
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
Polynomial adversary cannot tell a real
encryption box from a fake one
Computer Security: 2 – Shared-Key Cryptography
37
Formal Definition
Let
 E: {0,1}n x {0,1}l → {0,1}n
 A(x ↔ m) = 1 iff x = Ek(m)
 A algorithm polynomial in key length l
 xm = Ek(m)
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
E is a secure encryption scheme if
∀ polynomial p(_)
∃ L s.t. ∀ l > L
∀ k ∈ {0,1}l
Pr[A(xm ↔ m) = 1] - Pr[A(x0 ↔ m) = 1] < 1/p(l)
Secure C.
Computer Security: 2 – Shared-Key Cryptography
38
Readings
• Andrea Sgarro,
Codici Segreti, 1989
“The comprehensive History of
Secret Communication from
Ancient Times to the Internet”
• David Kahn, The Code-Breakers, 1996
Goals
History
Shared-Key
Attacks
• A. Menezes, P. van Oorschot and S.
Vanstone, The Handbook of Applied
Cryptography, 1996
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
39
Exercises for Lecture 2
• Find a way to measure the redundancy in
the ASCII rendering of English (or Italian)
text
• Prove the invertibility of a Feistel network
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
• Why is 3DES immune from the meet-inthe-middle attack?
 Can you explain why 3DES uses only 2 keys?
 What is the cost of breaking y iterated
encryptions with different keys?
Secure C.
Computer Security: 2 – Shared-Key Cryptography
40
Next …
• Public-Key Cryptography
Goals
History
Shared-Key
Attacks
Block C.
Stream C.
DES
Secure C.
Computer Security: 2 – Shared-Key Cryptography
41
Download